CVE-2024-52498: 
WordPress vulnerability analysis and mitigation

The SP Blog Designer WordPress plugin version 1.0.0 and earlier contains a Path Traversal vulnerability that allows PHP Local File Inclusion. The vulnerability was discovered and reported by João Pedro S. Alcântara (Kinorth) on October 2, 2024, and was publicly disclosed on November 20, 2024. This security issue affects all versions of SP Blog Designer through version 1.0.0, with no official fix available as the software appears to be abandoned (Patchstack).

The vulnerability is classified as a Path Traversal: '.../.../' type vulnerability (CWE-35) that enables PHP Local File Inclusion. It has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor-level privileges to exploit (Patchstack, NVD).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents on the screen. This could potentially lead to exposure of sensitive information, including database credentials, which depending on the configuration could result in complete database compromise (Patchstack).

Since no official fix is available and the software appears to be abandoned (last updated over a year ago), the recommended mitigation is to remove and replace the SP Blog Designer plugin with an alternative solution. Note that merely deactivating the plugin does not remove the security threat unless a virtual patch (vPatch) is deployed (Patchstack).